the original idea i think is somewhat terrible in a multi-user
enterprise-y kind of environment since you'll wind up telling users that
they have to wait 2 seconds before entering their passphrase
constantly. for your home server it might work, but you can always
set up public keys or OTP pretty easily as well, in addition to fail2ban.

you can also use pam_tally to only allow 6 failed passwords in a row
before locking the account. i run the cronjob to unlock all the
accounts every 30 mins or so, which only allows a velocity of 12 guesses
per hour on a single account, while not requiring users with locked
accounts to call up a helpdesk.
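
A minimal sketch of the lockout-plus-timed-unlock setup described in the comment above, added here as an example and not the poster's actual configuration. The PAM service file, the cron file name and the path to the `pam_tally` binary are assumptions and vary by distribution.

```conf
# --- /etc/pam.d/sshd (assumed service file; apply to every service
#     that accepts passwords) ---
# Auth phase: count each attempt against the user's tally and refuse
# further attempts once the deny=6 threshold from the post is passed.
# Place this line before any "sufficient" password module so it always runs.
# onerr=fail refuses the login if the module itself hits an error.
auth     required   pam_tally.so onerr=fail deny=6
# (the existing auth lines, e.g. pam_unix.so, stay below this point)

# Account phase: a successful login resets that user's counter, so only
# consecutive failures add up to a lock.
account  required   pam_tally.so

# --- /etc/cron.d/pam-tally-unlock (hypothetical file name) ---
# Every 30 minutes clear all failure counters, which unlocks every
# locked account without a helpdesk call. With 6 attempts per
# 30-minute period this caps one account at 12 guesses per hour.
*/30 * * * *  root  /sbin/pam_tally --reset
```

On current Linux-PAM releases `pam_tally` has been superseded by `pam_faillock`, whose `unlock_time` option gives a timed unlock without a cron job.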